Math Question As Age-Gate and Invite-A-Friend Under Fire

The Children’s Advertising Review Unit of the Council of Better Business Bureaus (“CARU”) routinely monitors web sites and mobile apps for compliance with its Guidelines and the Children’s Online Privacy Protection Act (“COPPA”). Through that routine monitoring, CARU recently discovered the information practices of the 1st through 7th grade mobile applications called Friendzy (e.g., 1st Grade Friendzy). Kids can play the games available in the apps without registering, but the games offer a registration feature to track the time spent on the app and see points earned. In-app purchases are also available. Registration required full name, username, password, email address, country, city, zip code and grade of the student. Here is what happened during registration:

If you clicked to register, a pop-up box presented the following statements: “Ask your parents. Parental permission is required to continue.”

The registration page included tabs at the top labeled STUDENT, PARENT AND TEACHER. PARENT was set as the default tab.

Then, a pretty basic math question with six possible answers was presented.

Incorrect answers resulted in a new question and you could keep going through questions until you got it right on the first try.

After registration, you could invite friends via email (the native email app on the device) or via text (the native text app on the device).

CARU pursued the following 3 issues:

Collection of personally identifiable information from children younger than 13 without prior parental consent during registration.

Allowing children younger than 13 to disclose personally identifiable information through the friends invite feature without prior parental consent.

Inconsistency between the apps’ privacy policy and the actual privacy practices.

WS Publishing, the operator of the Friendzy apps, agreed to remedy the noted issues by setting the default tab to STUDENT, removing the fields that collect last name and email address, removing the invite-a-friend feature and updating its privacy policy.

Given the operator's quick agreement to remedy the noted issues, there is no part of the case report that describes any operator defenses. Instead, CARU includes several pages describing the guidelines and legal requirements applicable to the noted issues in the case. Much of the discussion details general COPPA compliance. However, we found this case notable for two of the apps' features: (1) the novel attempt at using a math question to ascertain age for COPPA purposes; and (2) the apps’ use of the native email and text applications on the device (i.e., outside of the app) for an invite-a-friend feature.

Not surprisingly, CARU found the math question deficient as a neutral age-gating mechanism. CARU commented that many kids who are younger than 13 can answer basic math questions and, as mentioned above, you could just keep getting new questions and answer choices until you got the correct answer. Setting those deficiencies aside, CARU commented that even if the math questions were made more difficult, a correct answer would not identify age. In addition, while the FTC has not addressed this issue, I do not recommend using a math question as a COPPA-compliant age-gating mechanism.

As discussed, for the Friendzy apps, the invite-a-friend feature launched the device’s native email or text applications, both of which are outside of the app itself. If a user decided to use those features, no information was collected by the app. Rather, the focus for that feature is on allowing the user (who could be a child) to disclose personal information publicly, which requires prior parental consent in most instances. Section I(3) of the FTC’s COPPA FAQs addresses this issue. The FAQ in question asks whether forward-to-a-friend systems can take advantage of COPPA’s exceptions to parental consent. The answer is that it depends, but allowing the potential child to reveal anything more than the recipient’s email address (and possibly the sender's or recipient's first name) requires verifiable consent from the sender’s parent. The FTC also wrote that the forward-to-a-friend system “must not allow the sender to enter her full name, her email address, or the recipient’s full name. Nor may you allow the sender to freely type messages either in the subject line or in any text fields [of the communication to the friend].” Because the native email and text applications allow for disclosure of all sorts of personal information, CARU found that feature to be out of compliance with CARU's Guidelines and COPPA. It is my experience that many marketers and developers feel that having the app launch a native email or text application on a device is a panacea for compliance issues. This case is just one signal pointing to that being an unfounded belief.